otr.js: Off The Record Protocol in JavaScript

Before we talk about otr.js, we have to talk about crypto in JavaScript. It’s important to discuss issues with cryptography, because bugs are much more severe than in ‘normal’ code. If your Rails app has a bug, maybe some emails don’t get sent out. If your crypto has a flow, your secrets are all wide open.

So, before discussing a JavaScript crypto library, I must point you to the first line of the README:

This library hasn't been properly vetted by security researchers. Do not use in life and death situations!

Furthermore, for more on the issues of crypto and JavaScript specifically, I refer you to this post by Matasano Security, whose opinions I trust when it comes to security.

Okay, now that we’ve got that out of the way, let’s talk about otr.js! OTR is a protocol which allows you to have private conversations over IM. As you may guess, otr.js is an implementation of this protocol in JavaScript.

There’s a lot of setup required, so please read the README, but once you’ve got it set up, it’s pretty easy to use:

var newmsg = "Message to userA."
buddy.sendMsg(newmsg)

Not that hard, right? There’s a ton of different options, though they are pretty well-documented. What is odd though, is that apparently messages aren’t encrypted at first; you must call

buddy.sendQueryMsg()

to make that happen. I believe this is because the OTR protocol itself allows for unencrypted messages, and otr.js seems to be a lower-level library that others will build upon, rather than something you’d use directly.